Security Suggestions – The Cloud and Your Data

Posted on 1, Oct | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

I am often asked to discuss IT and data security as it relates to storing data on the Cloud. Nine out of ten times I am asked two inevitable questions: “What is the Cloud?” and “Where is the Cloud?”. Hopefully I will answer these questions as I discuss ways to keep your data secure on the Cloud.

There are a number of services that allow you to store data on their servers. Examples of these for an individual or a small business are Dropbox, Sharefile, Google Mail, iCloud, Google Drive, Office 365, and many more. These services quite often are automatically connected to you by your smartphone, iPhone, laptop and/or your desktop computer once you initially log in. Think about using your phone – you don’t have to type in a password to get your Gmail each time. As long as you can access the email app on your phone, you’re in. This is because you have instructed the app to trust your smartphone as a conduit to get your Gmail. This goes for almost any mail account you access from your device.

Go one step further and consider that you may have an account with Dropbox, Office 365, or Sharefile. The same concept applies – you have instructed the app to trust your smartphone as a conduit. To make matters worse, if you have these accounts available on your laptop or desktop they too are accessible without typing in a password once you have initially logged in. This is most often the case because we have instructed the app to remember our password.

Now that we understand – to just a small degree – what the Cloud is as it relates to most users and what as individuals we may have on the Cloud, let’s discuss how to keep it secure. First, don’t store sensitive information in the Cloud. I am not talking about using the online version of TurboTax, for example. I am referring to storing birth certificates, passports, and other scanned documents with sensitive information. There is nothing wrong with a safe deposit box for items like these.

Don’t use the same password for every account and change passwords regularly. I believe that password security is such an important issue I could write an entire topic on it. By using the same password for email, banking, computer login, online purchases, social media sites, and other activities, you jeopardize the security of all of your accounts if just one gets hacked. Hackers are smart enough to know that if your password to “website.com” is 12345678 and your user name to “website.com” is user@gmail.com, they will try to log in to the Gmail account with the password they have uncovered. You should choose a random password and change it at least every 90 days if not sooner.

Consider reading the terms of service or user agreements to find out how the service works. This is very important if you intend to take advantage of a free 30-day trial. It is possible you will not have access to the data after 30 days without paying for the service. Think about encrypting your data or utilizing a service that includes encryption with data storage.

These are just a few suggestions for securing your data on the Cloud, and this is only a starting point.
I am not suggesting that no one should use the Cloud for storing data. For the most part, everyone who uses a computer, smartphone, or tablet is using the Cloud already. The Cloud can be an efficient way to centralize and share data with authorized users. I am suggesting you use it wisely, securely, and with the knowledge that you have done everything possible to protect the data you put on the Cloud.


ASIS Chapter 119 and Region 4B Women in Security Meeting

Posted on 10, Sep | Posted by RMA

The second quarterly ASIS Chapter 119 and Region 4B Women in Security meeting was hosted by Risk Management Associates on Wednesday, September 10, 2014. Anita Jelley of ProNet Systems was instrumental in setting the meeting. Russell Gilmore CISSP, CISM, EnCE of RMA gave an informative presentation on Computer Forensics. RMA had a big turnout of attendees that included Christine Peterson, Dana Frentz, and Tasha Dyson. Christine Peterson provided registration/handouts to the group for the upcoming NC Piedmont Chapter 82 seminar being held October 27-28. For more information on ASIS Chapter 119 Women in Security, please contact Dana Frentz.


RMA attends Piedmont Advantage Credit Union Grand Opening

Posted on 14, Aug | Posted by RMA

RMA President Christine Peterson attended the Grand Opening Celebration of Advantage Way, the new corporate headquarters and flagship branch of the Piedmont Advantage Credit Union in Winston-Salem, North Carolina, on August 14, 2014. This flagship branch provides the credit union with the opportunity to better serve existing and future Members in Winston-Salem.


Third Annual ASIS Seminar and Exhibits Conference

Posted on 30, Jun | Posted by RMA

On June 24, 2014, the local ASIS Chapter 119 held their third annual ASIS Seminar and Exhibits Conference at the PNC Arena in Raleigh, NC. There were four guest speakers who discussed a variety of security and safety related topics. The speakers were Glen Faber of Purdue Pharmaceuticals, Frank Pisciotta of Business Protection Specialists, Floyd Allen of Global SIGMA Academy of Safety & Security, and Lou Velasco of the FBI. There were 18 vendors with booths exhibiting the latest technology in the security industry. The conference was a huge success, and there were over 100 people who registered and attended the sessions. Attendees received certification credits related to the ASIS CPP, PSP, and PCI for attending the conference. It is the local chapter’s plan to continue to grow this one-day conference and seminar.


Security Assessment at Appalachian State University

Posted on 30, May | Posted by RMA

The specific objective of this project was to provide the University with a “snapshot” of the existing security program in place at the BB Dougherty Administration Building, any gaps in the program, and potential responses to the gaps identified. Security policy, procedures, systems and organization were examined for level of technology, appropriate application, and the efficiency and effectiveness of deployment. Consultants prepared specific recommendations to address the deficiencies or gaps identified. Recommendations addressed each threat/vulnerability in a practical and pragmatic manner.

Appalachian State University is nestled in the Blue Ridge Mountains of North Carolina. Appalachian State University offers a challenging academic environment, energetic campus life and breathtaking location. Appalachian combines the best attributes of a small liberal arts college with those of a large research university. Known for its value and affordability, Appalachian enrolls about 17,000 students and offers more than 150 undergraduate and graduate majors. Small classes and close interactions between faculty and students create a strong sense of community, which has become an Appalachian hallmark. Appalachian, located in Boone, N.C., is one of 16 universities in the University of North Carolina system.


NC companies’ secrets at risk, cyber terrorism experts say

Posted on 22, Jul | Posted by RMA

In this day and age, sometimes it is difficult to discern truth from fiction. Greg Baker is an expert in the area of cyber terrorism and a leader in developing public/private relationships that work. In the later years of his career with the FBI, he was the face of InfraGard North Carolina.

InfraGard is an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members. At its most basic level, InfraGard is a partnership between the Federal Bureau of Investigation and the private sector. InfraGard is an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States.

We recommend this article on cyber terrorism and data theft. Both Greg Baker and Ryan Johnson provide good insight on the problem and steps that can be taken to lessen the possibility of your company becoming a victim of this costly crime. Take stock of what your company should do to enhance the security surrounding its sensitive and important data. Do some research and don’t be afraid to ask questions. It can be beneficial to have someone from the outside review and analyze the strengths and weaknesses of your company’s network and provide advice on what steps can be taken to secure your company network, systems, and data.

Whether or not a company works on classified contracts, it is at risk of cyber terrorism. Most of the time, companies do not even realize that they may be a target. No one wants to find out that their systems have been compromised, but most either have been or will be. How does your company address its cyber vulnerabilities?

Read the original article here.

Meat, tobacco, furniture and surgical products are just a few of the North Carolina exports booming in the Chinese market. North Carolina businesses’ secrets are also in high demand overseas, and cyber terrorism experts say many companies are not doing enough to fend off hackers.


Situational Awareness Information Bulletin

Posted on 29, Jan | Posted by RMA

Between December 26, 2012 and January 10, 2013, the below identified subject was able to breach security at two identified private sector facilities and two Government facilities in the Raleigh/Durham/Chapel Hill area.

Joseph Dean Hill
Aliases: Mark, Mark Johnson, Joseph Turnag

The identified subject was observed operating a black Nissan Pathfinder with NC plate BEK-9106 in two of the incidents. The subject also has a 2004 Nissan Maxima registered in DMV with NC plate XNM-6071.

It is believed he piggy-backed off employees and/or used social engineering techniques to gain access to secure areas. In each incident, the subject gave Security false names and explanations for his presence at their facility. During each encounter, the subject was confronted by Security and escorted off the premises.

The subject has been subsequently confronted by local, state and federal law enforcement about these incidents at which time he could not provide a credible explanation for his actions.
 
If your agency has information that this subject has made attempts or succeeded in breaching security at other facilities in your jurisdiction, please contact the NC Information Sharing and Analysis Center (ISAAC) at 919-716-1111, or by email at NCISAAC@ncdoj.gov.

Items in Cars – Asking for Trouble

Posted on 10, Dec | Posted by Teresa Ivey

What concerns me is how individuals will leave GPS, phones, iPods, purses, money, and other items of value in their cars – in plain view. They may say, “well, I don’t have anything in my purse” or “my GPS is old.” Someone just walking by your car does not know that the purse may be empty or the GPS may not work – all they are thinking about is getting in, grabbing something, and getting out quickly!

Then the recovery process and headaches for the owner begin. The thief breaks the window to get in, steals something, and possibly does other damage to the vehicle. You have to call your insurance company, file a claim (your insurance may or may not go up), schedule to have repairs done to vehicle, take time to have your vehicle repaired, take time off work – not to mention all the headaches if a credit card was stolen. By just leaving something out where it can be easily seen, you are asking for trouble.

Remove all objects from view whenever you leave your vehicle. Always, always lock your doors – even in your own driveway. There have been so many break-ins while the vehicle is parked in someone’s driveway.

It’s sad that we have to live like this, but we all need to understand that things are different than years ago.


Access Control – Keys to the Building

Posted on 8, Nov | Posted by Kevin M. McQuade, CPP

As most of us know, an access card or credential is a key to gain entry to a parking lot, building, or other secured space.

Why then do so many people leave their card in their car after work?

Some even hang them from their mirror. When I ask, the response I usually get is “it is more convenient and I know where it is at all times.” I have even heard security personnel within an organization say that they have two or more cards in a system and that they leave one in the car at all times as a spare.

Really?

This may be okay if you carry a plain card with no company logo or markings on it indicating where you work, but the cards that do have some information on them could be taken and abused probably before you even know that they are missing.

Access cards need to be treated just like a key to your house.

I don’t think most people would leave their house keys hanging from the rear view mirror.


Digital Message Resonance and Its Impact on Economic Advantage

Posted on 25, Apr | Posted by Christine L. Peterson, CPP, ISP

Using Social Media Monitoring and Analytics to Protect Human Capital, Company Property, and Your Brand

Social Media is a relatively new term that has become ingrained in our consciousness and language, but do you know what it means or encompasses? If you answered no, then you are in the majority. Everyone talks about Social Media, but few really understand it. Here is what Wikipedia, itself a social media site, has to offer us on the subject:

Definition: Social media includes web-based and mobile technologies used to turn communication into interactive dialogue. Andreas Kaplan and Michael Haenlein define social media as “a group of Internet-based applications that build on the ideological and technological foundations of Web 2.0, and that allow the creation and exchange of user-generated content.” (Source: Wikipedia)

As the Wikipedia authors explain, social media interaction is not just conversation: it is the “super-set” of social dialogue. Social media is not news – it is a data set that describes public consciousness. “Enabled by ubiquitously accessible and scalable communication techniques, social media has substantially changed the way organizations, communities, and individuals communicate.” (Source: Wikipedia)

The Forms of Social Media

As the experts have outlined the subject, social media technologies take on many different forms including magazines, Internet forums, weblogs, social blogs, microblogging, wikis, podcasts, photographs or pictures, video, rating and social bookmarking. By applying a set of theories in the field of media research (social presence, media richness) and social processes (self-presentation, self-disclosure) Kaplan and Haenlein created a classification scheme for different social media types in their Business Horizons article published in 2010. According to Kaplan and Haenlein there are six different types of social media: collaborative projects (e.g., Wikipedia), blogs and microblogs (e.g., Twitter), content communities (e.g., YouTube), social networking sites (e.g., Facebook), virtual game worlds (e.g., World of Warcraft), and virtual social worlds (e.g. Second Life). Technologies include blogs, picture-sharing, vlogs, wall-postings, email, instant messaging, music-sharing, crowdsourcing and voice over IP, to name a few. Many of these social media services can be integrated via social network aggregation platforms.

What Does Social Media Mean To You?

Social media has changed and continues to change the world as we know it. Is that true? Let’s consider the facts:

Service | Users or members | Content, data, or usage
Facebook | 845 million active users | 50% log in on any given day
Twitter | 140 million users; 460,000 join daily | 340 million tweets daily
LinkedIn® | 150 million registered users | Roughly 2 new members every second
YouTube™ | 800 million unique users per month | Over 4 billion videos are viewed a day
Flickr® | 51 million registered members | More than 6 billion images
Google+™ | 25 million users | About 1 million visits per week
Wikipedia® | 16 million users, 300,000 editors | Hosts 19 million articles

Data current as of April 2012.
   

Including the thousands of other chat rooms, blogs, forums, newsgroups, and user groups, there are millions of additional social media users around the world. The people who are utilizing social media are your employees, customers, competitors, family, friends, activist groups, governments, and others. This technology is so powerful that it is used for everything from keeping in touch with friends to starting revolutions.

In this white paper we will discuss the state-of-the-art technology and tools that monitor social media for business intelligence purposes, including but not limited to the identification and monitoring of threats to the business and its personnel. Some organizations have already begun to harness the power of this technology in an attempt to exploit a market that is more often than not misunderstood.

While Google Alerts™, Google Web Search™, and low-level social media monitoring tools are of some use as a research aid in risk management, the most professional tools in this area are highly advanced and focus on analyzing information in near real-time from sources on the web.

Why are you in business?

As a business manager or owner, your business exists today because your customers’ expectations are in alignment with the value proposition or economic advantage that they expect to receive as part of the transaction with your firm. What is your value proposition or economic advantage?

  • Proprietary information (secret sauce)
  • Intellectual property
  • Customer/project information
  • Plans and specifications (marketing, R&D, financials)
  • Logistics
  • Human capital, “talent and experience”
  • Brand and reputation
  • Partners and suppliers
  • Physical assets

We know that businesses are leaking economic advantage every day through elicitation and social engineering, the exploitation of cyber vulnerabilities, and internal and external theft and sabotage. Traditionally, leakage has been in the form of a verbal, written, or e-mail disclosure which can and does wreak havoc for businesses every day. The new paradigm of leakage uses social media to communicate a message to an exponentially larger audience at the touch of a button. This is digital message resonance – or the ability of a message to continue propagating or resonating across the Internet and social media sphere long after the initial message was sent. Leakage in the traditional sense can have devastating effects, but it moves slower and is easier to track and contain. In the new era of digital message resonance, a single message can be transmitted to literally millions of people around the globe in a matter of seconds or minutes.

[Figures: Traditional Model of Leakage; New Paradigm of Leakage]
   

As a security, HR, marketing, management, or finance professional, you may believe that a comprehensive security and compliance program utilizing traditional methods of perimeter control, access control, lighting, casual surveillance, security communications, identification, accountability, and training should apply to this new threat. To that, we would also agree – to a point. The traditional tools are critical to the protection of economic advantage and company assets. We would also assert that the world has changed. There are additional security threats and tools to mitigate those threats, but they are cutting-edge and have to remain dynamic. Can your business afford to take a “wait and see” position with respect to social media?

Beyond Monitoring: The Next Step

Social Media Business Intelligence, as applied to business groups, refers to the tools and practices used by organizations to aggregate social media data, gathered via social media monitoring tools and social analytics engines, with existing data and integrate with systems of records and real-time analytics engines. The results are actionable insights that provide businesses with new information on their customers, products, competitors, employees, and even their marketing campaigns that can be used to protect assets and economic advantage while improving the value proposition offered to customers and potential customers. Using this information to proactively predict and anticipate customers’ needs while protecting assets in near “real time” is the value of Social Media Business Intelligence.

The RMA solution allows you to scour the web for mentions of your company and effectively analyzes, processes and stores this data to implement it with existing business processes. It enables businesses to harness the power of social media to support corporate compliance, current threat intelligence, operational security, and event security. At the same time, this information will assist management across departments and divisions to better understand their “value add” proposition with their customers, employees, vendors, and community as it relates to their economic advantage.

The RMA solution uses social media business intelligence software to monitor what people are saying about your business in social media, primarily for the purpose of anticipating and mitigating security threats before they occur and for responding to security related issues effectively and efficiently to minimize losses and maximize productivity. At the same time, it can also be used to monitor what people are saying about your brand, industry, and competition.

The RMA solution uses intelligence gathering software that computes dozens of dimensions including sentiment, passion, volume, and much more. It provides access to business intelligence that will allow you to lead – not follow – the conversation and fix those small issues before they grow into big problems.

Summary

Social media and web-based analytics provide powerful tools to conduct 24/7 monitoring of existing and emerging threats for Risk Management Associates, Inc. clients.

The RMA solution provides “cutting-edge” scalable technology and analytics. Technology cannot replace training and experience, but it does create an effective method of gathering pertinent information quickly that can be validated and/or discounted effectively.

Your business can then harness the power of social media to manage corporate compliance, current threat intelligence, operational security, and event security.

Data gathered can be communicated for application across departments and divisions. The RMA solution provides current intelligence that has applicability in multiple departments and divisions within the organization. This provides a better understanding of the “value add” proposition with their customers, employees, vendors, and community as it relates to economic advantage.

The RMA solution uses intelligence gathering software that provides clients with an additional tool to protect and demonstrate compliance in this age of digital resonance. Economic advantage, like reputation, is elusive and, once lost, very difficult to reclaim. The RMA solution provides an additional tool and layer of security. It provides access to current business intelligence that allows leaders to lead – not follow – the conversation, fix those small issues before they grow into big problems, and preserve evidence that has a short life span.

Risk Management Associates, Inc. utilizes the best technology and the best practices in web-based and social media monitoring, analysis and business intelligence. We look forward to answering any questions you may have about the topics presented in this paper or other security issues that are important to you.
